LinuxQuestions.org


Dannermax 10-30-2014 09:39 AM

IP tables are randomly blocking Internet connection when using open VPN
 
Hello everyone.

I hope this is the right place to post my question. I am running Raspbian (Debian) on my Raspberry Pi. It is connected to a VPN server, and I have had help to create these iptables rules, which I have put into the /etc/rc.local file. This is the only way I could make the iptables rules persistent and still have an Internet connection when my system starts up.

But the problem is that my system's outgoing connection (not LAN) is getting blocked once or twice every day. If I restart the system, then I have an outgoing connection. But it is really frustrating that I have to restart my system a couple of times every day, and not knowing when I have to restart.

Here are my iptables rules:

Code:

#!/bin/sh
/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.50 -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j LOG
/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0

So, is there any way I could make my system retain an outgoing Internet connection without having to restart the system randomly? I am streaming video from my Raspberry Pi, so I hope for a solution where I have a constant connection to it over my home network. By this I mean a solution where I don't need to restart the system or the network interface.

I have also tried adding my VPN provider's host names in the allow.host file, but this didn't change anything.

I really hope someone has an idea of what I can do. This problem has been bugging me for a year now, and I have heard a lot of positive things about this site. Fingers crossed and thanks for reading my post.

pingu 10-30-2014 03:06 PM

First of all, are all outgoing connections blocked or only the openvpn tunnel?
Check system logs for messages, we need to see exactly what happens.
Quote:

Originally Posted by Dannermax (Post 5261886)
... these iptables rules, which I have put into the /etc/rc.local file. This is the only way I could make the iptables rules persistent and still have an Internet connection when my system starts up.

What about "iptables-save"? That should save the rules and make them persistent.
Quote:

... my system's outgoing connection (not LAN) is getting blocked once or twice every day. If I restart the system, then I have an outgoing connection
This could happen if the OpenVPN remote server has changed IP. Does it use DHCP on its WAN?
But that IP (the remote VPN server's) is hardcoded in the config file, right? If not, if in some way the IP is written to the config file at boot-up, here you have the problem.
If the ip is hardcoded in the openvpn config file, then why that line "/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT"?

brebs 10-30-2014 04:32 PM

You are making the usual firewall mistake of blocking all ICMP packets, and thus creating communication problems which ICMP is designed to smooth out. Allow them.

I can't say for sure that this is causing your problem - but it certainly isn't helping ;)

Dannermax 10-31-2014 02:46 PM

Thank you for your reply.

Quote:

First of all, are all outgoing connections blocked or only the openvpn tunnel?
Check system logs for messages, we need to see exactly what happens.
As far as I can see, it is only the OpenVPN tunnel which is blocked. And the reason why I have these iptables rules is because I want my Internet connection to be blocked in case the connection to the VPN server is lost. The connection has not been blocked since the last reboot (typical), but I will post the log file as soon as I can. Is there a specific log file I should look in?

Earlier I have used this command to log problems with the VPN tunnel:

tail -F /var/log/syslog

I will give you the output of this command as soon as the connection drops.

Quote:

What about "iptables-save"? That should save the rules and make them persistent.
I have already tried adding my iptables rules with the package called iptables-persistent.
When I used this package with my rules, I did not have an outgoing connection through the VPN tunnel, and a reboot didn't solve that. That is why I thought it wouldn't make a difference with iptables-save.

Quote:

If the ip is hardcoded in the openvpn config file, then why that line "/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT"?
The person who helped me create these rules wrote this about the specific rule you mention:

Quote:

Parse the ovpn files found in /etc/openvpn and allow outbound traffic to any servers listed.
Yes, I will agree with you that a specific number of IP addresses is being loaded into a file in OpenVPN, but I do not know where that is. If I do this command:

iptables -L -n

I am getting a whole lot of different IP addresses from my VPN host.
But the funny thing is that if I run my system without iptables rules, and of course connected to my VPN service, I am getting a stable connection and I don't need to restart now and then. I also have a list of all the IP addresses my VPN service offers, but I don't know how I can use that to solve my problem.

I hope I have made myself understandable. I am not that fluent in Linux, so please bear with me! Looking forward to hearing your response.

Dannermax 10-31-2014 02:55 PM

Hi brebs

I have never heard about ICMP packets before. Could you tell me how I write these rules? And where should I place them in my iptables rules?

Could they look like this?

/sbin/iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

pingu 10-31-2014 03:09 PM

Ahaa! :)
I think I've got it: your VPN service has multiple IPs to use for its tunnels, and at random intervals the IP you connect to changes.
But you say you have a list of all the IP addresses your VPN service offers, so why not just add all those to your iptables rules? It won't really compromise your security.
Quote:

Originally Posted by Dannermax (Post 5262574)
But the funny thing is that if I run my system without iptables rules, and of course connected to my VPN service, I am getting a stable connection and I don't need to restart now and then.

Exactly, very sane this. It is your firewall (iptables) that blocks, so disabling it means never blocked.

As for ICMP, if you need extremely high security you don't respond to ping, but normally I agree with brebs you should allow it / respond.
So add:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
(Can't test it right now, but I think I got it right.)

As for
Quote:

I have already tried adding my iptables rules with the package called iptables-persistent.
When I used this package with my rules, I did not have an outgoing connection through the VPN tunnel, and a reboot didn't solve that. That is why I thought it wouldn't make a difference with iptables-save.
I don't understand this - I understand what you're saying, I just don't understand why it's happening.

pingu 10-31-2014 03:31 PM

And of course, if all VPN remote addresses are already allowed, give us this:
The result of iptables -L *when everything works* and the same when the VPN is blocked.
You have public IPs there so maybe you don't want to post them. But just compare for yourself the output of "iptables -L" before & after, and compare it with the list of VPN addresses you have.

Dannermax 10-31-2014 03:33 PM

Okay, let's say you are right about the IP addresses. But where in the list of rules would I put them, and what would they look like?

Also for the ICMP rules, where do I put them?

It is not because I am lazy and do not want to Google this, but it is just too complex for me to understand. But I hope you are right about the IP addresses... seems logical :-)

brebs 10-31-2014 03:36 PM

No, you're both missing the point about ICMP. The "echo" part of ICMP is insignificant. Destination unreachable is *far* more important.

Just google "icmp blocking", and read e.g. this.

Rate-limit ICMP if you're paranoid, but if you're *normal*, then just allow *ALL* ICMP through. Or point to an actual present-day vulnerability regarding ICMP (ignoring the boring DoS) ;)

Dannermax 10-31-2014 03:37 PM

Quote:

And of course, if all VPN remote addresses are already allowed, give us this:
The result of iptables -L *when everything works* and the same when the VPN is blocked.
You have public IPs there so maybe you don't want to post them. But just compare for yourself the output of "iptables -L" before & after, and compare it with the list of VPN addresses you have.
I will do this as soon as possible. My time at the computer is limited at the moment, but I really want to solve this problem. I will report back soon!

Dannermax 11-01-2014 10:43 AM

Okay, I now have an error log:

Code:

root@raspberrypi:/home/pi# tail -F /var/log/syslog
Nov  1 10:30:23 raspberrypi kernel: [184736.259978] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39852 DF PROTO=UDP SPT=45923 DPT=53 LEN=40
Nov  1 10:30:28 raspberrypi ovpn-My–VPN–service_linux [2269]: RESOLVE: Cannot resolve host address: My–VPN-hostname.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:30:28 raspberrypi kernel: [184741.264621] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39853 DF PROTO=UDP SPT=53456 DPT=53 LEN=40
Nov  1 10:30:38 raspberrypi kernel: [184751.272291] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39854 DF PROTO=UDP SPT=48792 DPT=53 LEN=40
Nov  1 10:30:43 raspberrypi kernel: [184756.278095] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39855 DF PROTO=UDP SPT=51924 DPT=53 LEN=40
Nov  1 10:30:48 raspberrypi kernel: [184761.283005] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39856 DF PROTO=UDP SPT=57933 DPT=53 LEN=40
Nov  1 10:30:53 raspberrypi kernel: [184766.287643] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39857 DF PROTO=UDP SPT=48068 DPT=53 LEN=40
Nov  1 10:30:58 raspberrypi kernel: [184771.293265] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39858 DF PROTO=UDP SPT=35999 DPT=53 LEN=40
Nov  1 10:31:03 raspberrypi kernel: [184776.297798] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39859 DF PROTO=UDP SPT=43460 DPT=53 LEN=40
Nov  1 10:31:08 raspberrypi kernel: [184781.301535] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39860 DF PROTO=UDP SPT=49379 DPT=53 LEN=40
Nov  1 10:31:13 raspberrypi ovpn-My–VPN-service_linux[2269]: RESOLVE: Cannot resolve host address: My–VPN-hostname.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:31:13 raspberrypi kernel: [184786.306187] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39861 DF PROTO=UDP SPT=52816 DPT=53 LEN=40
Nov  1 10:31:23 raspberrypi kernel: [184796.313764] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39862 DF PROTO=UDP SPT=35611 DPT=53 LEN=40
Nov  1 10:31:28 raspberrypi kernel: [184801.319973] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39863 DF PROTO=UDP SPT=38079 DPT=53 LEN=40
Nov  1 10:31:33 raspberrypi kernel: [184806.324437] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39864 DF PROTO=UDP SPT=55028 DPT=53 LEN=40
Nov  1 10:31:38 raspberrypi kernel: [184811.329463] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39865 DF PROTO=UDP SPT=36202 DPT=53 LEN=40
Nov  1 10:31:43 raspberrypi kernel: [184816.333453] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39866 DF PROTO=UDP SPT=42974 DPT=53 LEN=40
Nov  1 10:31:48 raspberrypi kernel: [184821.338035] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39867 DF PROTO=UDP SPT=53336 DPT=53 LEN=40
Nov  1 10:31:53 raspberrypi kernel: [184826.342945] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39868 DF PROTO=UDP SPT=45232 DPT=53 LEN=40
Nov  1 10:31:58 raspberrypi ovpn-My–VPN-service_linux[2269]: RESOLVE: Cannot resolve host address: My–VPN-hostname.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:31:58 raspberrypi kernel: [184831.347327] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39869 DF PROTO=UDP SPT=36970 DPT=53 LEN=40
^C
root@raspberrypi:/home/pi#

I also did:

iptables -L -n

And I compared the IP addresses from when the tunnel was blocked and from when I had just restarted the system and the VPN was working. Each output gave me 17 different IP addresses, and they were exactly the same in both incidents.

So what does this log tell you?

brebs 11-01-2014 12:37 PM

DPT=53 means destination port 53, i.e. DNS server lookups.

So, switch to a better DNS server? Use dnsmasq (easiest to set up) or unbound (a proper *recursive* DNS server) - either of them will cache your DNS.

sag47 11-01-2014 01:50 PM

192.168.1.1 is your DNS server according to those logs (port 53 UDP). In your iptables-rules you don't list allowing port 53 at all. The log specifically says you're blocking outbound DNS.

Code:

iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m state --state NEW -m udp --dport 53 -j ACCEPT
That rule should go before your OUTPUT reject rule because order matters. When your tunnel "stops working", ping by IP rather than DNS name and ensure that works (in your rules you're currently blocking ICMP ping). To allow ping...

Code:

iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
If it does then it is most likely just a DNS problem and the above rule should fix it. Some websites working but others not indicates you cache some DNS before you tunnel and when the DNS cache expires for those hosts it seems to "stop working randomly".

Where is 192.168.1.1? Is it an interface on the same box as these iptables rules and VPN host? If so your rule should look something like this.

Code:

iptables -A INPUT -p udp -s 192.168.1.0/24 -m state --state NEW -m udp --dport 53 -j ACCEPT
Blocking ICMP does not make much of a difference as far as your tunnel allowing traffic. Though I agree blocking it from your local networks is silly. You should allow it so clients have the ability to troubleshoot. Restrict ICMP to be allowed from local sources only.

Code:

iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
I have a blog post where I share all of my firewall rules. Feel free to browse it and take any ideas you want. Also, I feel it is a little cleaner to create an /etc/iptables.rules file in iptables-save format and then add an iptables-restore command to /etc/rc.local.

Code:

iptables-restore < /etc/iptables.rules
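Added example, not code from anyone in this thread: a small Python triage of lines in the iptables LOG format Dannermax posted, which shows that the rejected traffic is UDP/53 to the router, plus a check of the rule-ordering point sag47 makes (an allow appended after the REJECT never matches). The sample log lines and the rule list are constructed; the addresses and hostname in them are made up.

```python
import re
from collections import Counter

# Constructed sample in the format of the syslog excerpt posted above
# (addresses and hostnames are made up, not copied from the thread).
SAMPLE_LOG = """\
Nov  1 10:30:23 pi kernel: [184736.259978] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39852 DF PROTO=UDP SPT=45923 DPT=53 LEN=40
Nov  1 10:30:28 pi ovpn-example[2269]: RESOLVE: Cannot resolve host address: vpn.example.net: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Nov  1 10:30:28 pi kernel: [184741.264621] IN= OUT=eth0 SRC=192.168.1.46 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39853 DF PROTO=UDP SPT=53456 DPT=53 LEN=40
Nov  1 10:30:30 pi kernel: [184743.100000] IN= OUT=eth0 SRC=192.168.1.46 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39854 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""
# The OUTPUT chain from the first post, in the order rc.local appends it.
RULES = [
    "-A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT",
    "-A OUTPUT -o eth0 -j LOG",
    "-A OUTPUT -o eth0 -j REJECT",
]
# The fix sag47 suggests, with the -j ACCEPT target spelled out.
DNS_ALLOW = "-A OUTPUT -p udp -d 192.168.1.0/24 -m state --state NEW -m udp --dport 53 -j ACCEPT"
KERNEL_RE = re.compile(r"kernel: \[[\d.]+\] (?P<fields>IN=.*)$")

def parse_log_line(line):
    """Parse one iptables LOG line into a dict, or None for non-firewall lines.
    Bare flags (DF, SYN) have no '=' and are skipped; the first LEN= wins."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)
    return fields

def summarize_logged(text):
    """Count logged outbound packets by (proto, dst, dport). In the posted
    ruleset every packet that hits LOG is REJECTed by the very next rule."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and f.get("OUT") == "eth0":
            counts[(f.get("PROTO"), f.get("DST"), f.get("DPT"))] += 1
    return counts

def dns_allowed_before_reject(rules):
    """True only if an ACCEPT for --dport 53 precedes the REJECT: appended
    rules match in order, so an allow placed after REJECT never fires."""
    for rule in rules:
        if "-j REJECT" in rule:
            return False
        if "--dport 53" in rule and "-j ACCEPT" in rule:
            return True
    return False
```

Run it against a real syslog excerpt to see which destination ports the REJECT rule is eating; anything that shows up there and is needed for the tunnel (DNS to the router, the VPN endpoints themselves) needs an ACCEPT inserted above the LOG/REJECT pair.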

Dannermax 11-01-2014 02:19 PM

Quote:

ping by IP rather than DNS name and ensure that works
I use this command to check whether or not the tunnel is working:
Code:

curl ifconfig.me
What kind of ping would you say this is? And can I still use the first rule you posted?

The IP address 192.168.1.1 is my router. So what do you make of that?

I will have a look at your blog post. I just hope that I am able to understand any of it. :-)

Quote:

That rule should go before your OUTPUT Reject rule
By this you mean that the rule should be located ABOVE the reject output rule?

Sorry about all the questions..:-)

sag47 11-01-2014 02:27 PM

Quote:

Originally Posted by Dannermax (Post 5262977)
I use this command to check whether or not the tunnel is working:
Code:

curl ifconfig.me
What kind of ping would you say this is? And can I still use the first rule you posted?

That's not a ping but an HTTP GET request over port 80. By ping I meant ICMP ping using the actual ping command. Yes, that first rule should fix your issue.

Quote:

Originally Posted by Dannermax (Post 5262977)
The IP address 192.168.1.1 is my router. So what do you make of that?

I will have a look at your blog post. I just hope that I am able to understand any of it. :-)

If that's your router then you only need that outbound rule I posted. Your router is routing DNS queries so it is the DNS server as far as your clients are concerned.


Quote:

Originally Posted by Dannermax (Post 5262977)
By this you mean that the rule should be located ABOVE the reject output rule?

Sorry about all the questions..:-)

Yes that's what I mean. No need to apologize for curiosity. Also, re-read my last post. I heavily updated it with more examples.
